What are reasonable steps to preserve potentially relevant data under the FRCP? In this case, the court ruled that a data breach didn’t warrant spoliation sanctions—even if data was lost—if reasonable data security measures were taken.
In this case, the defendant contended that a variety of discovery violations were committed by the plaintiff, including but not limited to (1) not obeying a court issued discovery order and (2) potential spoliation.
At the start of discovery, the magistrate judge ordered the plaintiff to produce data from related litigation in response to the defendant’s production requests. While the plaintiff did produce some requested data, the failed to meet the production deadline from the court.
Additionally, the defendant argued that the plaintiff still had not produced responsive documents in their control. At the court hearing, the plaintiff conceded that they “ had made no effort to produce documents” held by counsel from a related matter.
Regarding the alleged spoliation, the plaintiff’s database had been hacked and potentially relevant data may have been lost.
Download the PDF version of this case law alert here.
Inevitably, the worlds of data breach and data preservation are bound to intersect. In this case, spoliation sanctions were not warranted when the data loss was due to data breach, based on how the party protected its systems (but read the fine print). Interesting, the court also states that the defendant did not prove that relevant evidence was spoliated by the hack. When a data breach occurs, what the court considers in spoliation analysis may be different than when spoliation occurs in more traditional ways.